Password-stealing Trojan arrives

A fresh round of spam with a password-stealing Trojan detected on Sunday uses a German-language pitch, saying the malicious attachment is an official Microsoft Windows update.

German spam spreading malware

By Jeremy Kirk | 30 May 2006

The attached malware, called Trojan-PSW.Win32.Sinowal.u, was detected by antivirus software developer Kaspersky Lab. Roel Schouwenberg, a senior research engineer at the company, said it is a next-generation Trojan that's on the rise. The Sinowal family of malware was first detected in December, and first seeded on malicious websites.

If a user visited the site without a properly patched browser, the software would install itself, allowing it to harvest login and password information for some European banks' sites, Schouwenberg said. The Sinowal family of malware may have been created in Russia, since the malware code contains some Russian, he said.

The latest spam messages have a .de email address. Rather than depending on a browser exploit to install itself, the latest version of Sinowal tries to trick users into installing it. The message, written in German, claims that a worm is on the loose, and that the recipient should run the attached file to protect their system.

Schouwenberg said the malware writers may have decided to send it by mass email if the browser exploit approach wasn't working as well.

The Sinowal Trojan is a type of 'man-in-the-middle' malware. Even if a user has started an SSL (Secure Sockets Layer) transaction with a bank, the Sinowal Trojan can insert HTML (hypertext markup language) code that causes a pop-up window asking for a user name and password. It is programmed to react to certain bank sites.
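The injection described above, an extra credential prompt added to a bank's page after the SSL session has been set up, leaves a trace that a defender can look for: the rendered page contains form fields the legitimate page never had. The following added example (written for this article; it is not code from the article, from Kaspersky Lab, or from any bank) shows a page-integrity check of that kind: a site operator records the forms and input fields a page is supposed to contain, then compares a page as actually rendered against that baseline and reports any credential-style inputs that were not in it. The baseline page, the "injected" page and all field names are constructed for the example.

```python
"""
Page-integrity check for injected credential prompts (added example).

Everything here is constructed: BASELINE_PAGE and INJECTED_PAGE are
hypothetical login pages, not taken from any real site.
"""
from html.parser import HTMLParser

# Inputs that count as credential fields: by HTML type, or by a name hint
# (e.g. "pass", "pin", "tan" as used in some European banking logins).
CREDENTIAL_TYPES = {"password"}
CREDENTIAL_NAME_HINTS = ("pass", "pin", "tan", "secret")


class FormFieldCollector(HTMLParser):
    """Collect (form_id, input_name, input_type) triples from a page."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Identify a form by its id, else its action, else a placeholder.
            self.current_form = a.get("id") or a.get("action") or "<anonymous>"
        elif tag == "input":
            name = a.get("name") or ""
            ftype = (a.get("type") or "text").lower()
            self.fields.append((self.current_form, name, ftype))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def collect_fields(html):
    """Parse a page and return its list of (form, name, type) input fields."""
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def is_credential_field(name, ftype):
    """True if the input looks like it collects a secret."""
    lowered = name.lower()
    return ftype in CREDENTIAL_TYPES or any(h in lowered for h in CREDENTIAL_NAME_HINTS)


def find_injected_credential_fields(baseline_html, observed_html):
    """Credential-style fields present in the observed page but not in the baseline.

    Returns a sorted list of (form_id, input_name, input_type) triples.
    """
    expected = set(collect_fields(baseline_html))
    observed = set(collect_fields(observed_html))
    return sorted(f for f in observed - expected if is_credential_field(f[1], f[2]))


# Constructed baseline: the login page as the site serves it.
BASELINE_PAGE = """<html><body>
<form id="login" action="/login">
<input name="user" type="text">
<input name="pass" type="password">
<input type="submit" value="Anmelden">
</form>
</body></html>"""

# Constructed "as rendered on the victim" page: a second prompt asking for
# the password again plus a TAN, the pattern the article describes.
INJECTED_PAGE = BASELINE_PAGE.replace("</body>", """<div id="popup">
<form id="verify" action="/login">
<input name="user" type="text">
<input name="pass" type="password">
<input name="tan" type="text">
</form></div>
</body>""")


if __name__ == "__main__":
    for form, name, ftype in find_injected_credential_fields(BASELINE_PAGE, INJECTED_PAGE):
        print(f"unexpected credential field: form={form} name={name} type={ftype}")
```

On the constructed pages the check reports the injected `pass` and `tan` fields in the `verify` form and nothing else; the clean page against its own baseline reports nothing. The caveat a practitioner would want: a Trojan resident on the endpoint controls everything that endpoint sees, so a check like this is trustworthy only when run from a clean host, for example by the site operator comparing pages captured from customer complaints, or by a browser-side integrity monitor that the malware has not tampered with. Its value is in making the injection pattern visible and reviewable, not in protecting an already compromised machine.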

"This is something we are going to see more and more, and it will really make life hard," Schouwenberg said.

The malware is unique in that it sends the stolen information to the hacker's server immediately, rather than storing it for periodic transmission, Schouwenberg said. The Trojan is also capable of checking for updates of itself.